A typical response to a cyberattack can unwittingly help the criminals, because targets stay quiet about the breach and spurn outside help, Mike Day says.
“The legal team says, ‘We’re on the hook for a lot of data,’ and they put down the cone of silence. Then the marketing people say, ‘We’ve got to protect our brand … (and) control what our customers are able to see,’” said the founder and executive officer of TribalHub, a national network of resources for tribal governments and enterprises. “All of those standard playbook things play right into the hands of the bad guys, not the hands of the people trying to protect your organizations.”
The recently formed Tribal-ISAC (Tribal Information Sharing and Analysis Center) provides Native American and Alaska Native tribes with an alternative that can help prevent or mitigate cyberattacks and warn tribes of cyber threats to a variety of their operations, including gaming, health care, and all areas of tribal government.
Day said businesses and organizations often are reluctant to share security information with outsiders, but an ISAC provides a trusted format to do that anonymously, while getting help. An ISAC helps owners and operators protect critical infrastructure facilities, personnel, and customers from cyber- and physical-security threats, according to the National Council of ISACs, formed in 2003. Nationwide, more than 20 centers serve specific sectors, such as automotive, electrical power, health care, transportation, defense, and elections.
Tribal-ISAC is a division of the not-for-profit Tribal Share Inc. and independent of TribalHub. It was chartered in February after years of discussion, Day said. The center’s steering committee consists of Toni Pepper, chief information technology officer for the San Manuel Band of Mission Indians; Bill Travitz, director of the Office of Information Technology for the Eastern Band of Cherokee Indians; Robert Aton, IT director of the Mill Casino, operated by the Coquille Indian Tribe; Lee Edberg, IT cybersecurity manager for Mystic Lake Casino Hotel, operated by the Shakopee Mdewakanton Sioux Community; and Day.
Forming an ISAC specifically for tribes was a “unique challenge,” Day said.
“They’re not really an industry per se. It’s more of a community, and they’re sovereign governments on top of running enterprises. It was really difficult to get them linked to any existing government-run or commercially run (ISAC).” Tribal-ISAC monitors potential threats involving all services that tribes provide, including government, infrastructure, gaming, retail, utilities, water service, and dams.
Cyberattacks on tribal casinos reported in the news have included six casinos in Oklahoma hit by ransomware in June and a California casino shut down for three weeks in September.
“There’s a lot more that haven’t made the national press,” Day said, calling cyberattacks a “regular occurrence” targeting tribal health and government operations, as well as gaming.
A Tribal-ISAC member that encounters ransomware or another cyberattack would report it to the center, while the tribe, facility, and location remain anonymous to the group at large. That alerts others to a problem they might face and allows the tribe reporting the attack to get advice on handling it.
“You’re connecting to all of these other tribes, some of them with far more security resources,” Day said, noting that many tribes have few IT specialists. “You’ve increased your capabilities ten-fold, a hundred-fold, just by being a part of the community. You’ve got a bunch of folks who want to help and who want to maintain anonymity while they’re doing it. They want to help you succeed, because by protecting you, they’re protecting themselves.”
In addition, Tribal-ISAC analysts sift through volumes of information to focus on potential threats to tribal operations and provide daily, weekly, and monthly summaries to members.
“We’re taking this tidal wave of info and giving you something manageable that says, ‘This is what’s extremely important to people working in your industry or community,’” Day said. Tribal-ISAC also provides monthly training sessions and other tools to help members protect their own resources and collaborates with ISACs representing other sectors. Day said the group also works with the Department of Homeland Security, the nonprofit Center for Internet Security, and the federal Cybersecurity and Infrastructure Security Agency (CISA).
The center already has 70 members, but Day said he hopes all tribes, including those without gaming operations, will join.
Day noted that casinos are accustomed to sharing information about physical threats, such as compiling “blacklists” of cheaters, but cybercrime evokes a “completely opposite” response.
“You go completely silent, which is not helping the community or the industry,” he said. “It’s only helping the perpetrators, because it’s allowing them to keep doing what they’re doing.”